Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
On Tue, Nov 29, 2016 at 01:33:54PM +0100, Raphael Hertzog wrote:
> On Tue, 29 Nov 2016, Roberto C. Sánchez wrote:
> > Hi Raphael,
> >
> > On Tue, Nov 29, 2016 at 12:14:10PM +0100, Raphael Hertzog wrote:
> > > Hi,
> > >
> > > On Mon, 28 Nov 2016, Roberto C. Sánchez wrote:
> > > > Quite right:
> > > > http://people.debian.org/~roberto/imagemagick_6.7.7.10-5+deb7u7_6.7.7.10-5+deb7u8.diff
> > >
> > > Some comments:
> > > - since we have no git history, it's nice to indicate in each patch what
> > > CVE it fixes (I like to name the patch according to the CVE it fixes too)
> > > here, I have to lookup the upstream ticket or commit to find out and in many
> > > cases, it's no longer possible since the patch refers to a
> > > trac.imagemagick.org URL which no longer exists and/or the commit does
> > > not have the CVE number :(
> >
> > My initial post to the list had a question about how to handle the
> > issues without a CVE ID in the DLA. The suggestion was to annotate the
>
> Right, but when I look at
> https://security-tracker.debian.org/tracker/source-package/imagemagick
> most of the issues have CVE numbers assigned. And while you have put
> the CVE numbers in the changelog, they are not in the patches themselves
> (and the patch name is not in the changelog either). So it's currently
> hard to map a patch back to its associated CVE.
>
> My request is thus to include the CVE number (when applicable) in each
> patch directly, either through the filename or in the description (or
> both, which is what I usually do).
>
OK. I missed the part where you said "in each patch." I can certainly
do that.
> > corresponding Debian bug numbers. I can do the same for the changelog
> > entries, assuming that it is not a problem that all those bugs will then
> > have closure notices related to this upload.
>
> No, it's clearly not a problem, on the contrary it will give the BTS a
> more comprehensive view of the fixed versions for each bug.
>
I will update the changelog accordingly.
Regards,
-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
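As an added example (not part of the thread, and not Debian's or ImageMagick's own tooling), the check Raphael is asking for can be scripted: walk debian/patches/series, collect the CVE IDs each patch carries in its file name or DEP-3 header, and report both the patches that carry none and the CVE IDs the newest debian/changelog entry names that no patch claims. The debian/ tree it writes into a temporary directory is constructed for the demonstration; its CVE numbers and bug number are placeholders, not real ImageMagick identifiers.

```python
"""Cross-check debian/patches against debian/changelog for CVE coverage.

Added example, not Debian or ImageMagick code.  All sample files below are
constructed; CVE-2016-1111/2222/3333 and bug #800001 are placeholders.
"""
import os
import re
import tempfile

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
# A DEP-3 pseudo-header ends where the unified diff itself begins.
DIFF_START = ("---", "+++", "Index:", "diff ")


def parse_dep3_header(text):
    """Return DEP-3 fields (name -> value) from the top of a patch file.
    A line starting with whitespace continues the previous field."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith(DIFF_START):
            break
        if key and line[:1] in (" ", "\t"):
            fields[key] += "\n" + line.strip()
            continue
        m = re.match(r"([A-Za-z][A-Za-z0-9-]*):\s*(.*)$", line)
        key = m.group(1) if m else None
        if m:
            fields[key] = m.group(2)
    return fields


def cves_for_patch(path):
    """CVE IDs a patch claims, via its file name or any header field."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        header = parse_dep3_header(fh.read())
    found = set(CVE_RE.findall(os.path.basename(path)))
    for value in header.values():
        found.update(CVE_RE.findall(value))
    return found


def series_patches(patch_dir):
    """Patch names applied by quilt, in series order (comments stripped)."""
    with open(os.path.join(patch_dir, "series"), encoding="utf-8") as fh:
        lines = (ln.split("#", 1)[0].strip() for ln in fh)
        return [ln.split()[0] for ln in lines if ln]  # drop options like -p1


def top_changelog_cves(changelog_path):
    """CVE IDs named in the newest changelog stanza only (up to ' -- ')."""
    stanza = []
    with open(changelog_path, encoding="utf-8") as fh:
        for line in fh:
            stanza.append(line)
            if line.startswith(" -- "):
                break
    return set(CVE_RE.findall("".join(stanza)))


def audit(debian_dir):
    """Map each patch to its CVEs and flag the two kinds of gap."""
    patch_dir = os.path.join(debian_dir, "patches")
    mapping = {n: sorted(cves_for_patch(os.path.join(patch_dir, n)))
               for n in series_patches(patch_dir)}
    claimed = {c for cves in mapping.values() for c in cves}
    in_changelog = top_changelog_cves(os.path.join(debian_dir, "changelog"))
    return {"mapping": mapping,
            "unlabelled": sorted(n for n, c in mapping.items() if not c),
            "uncovered": sorted(in_changelog - claimed)}


# Constructed sample tree (placeholder CVE IDs and bug number).
SAMPLE = {
    "patches/series": "CVE-2016-1111.patch\nfix-coders-overflow.patch\n"
                      "fix-profile-parse.patch # refreshed\n",
    # CVE only in the file name.
    "patches/CVE-2016-1111.patch": "Description: Reject oversized header\n"
        "Origin: upstream\n---\n--- a/x.c\n+++ b/x.c\n@@ -1 +1 @@\n-a\n+b\n",
    # CVE only in the DEP-3 description.
    "patches/fix-coders-overflow.patch": "Description: Bounds check in coder\n"
        " Fixes CVE-2016-2222 (Debian bug #800001).\n"
        "Bug-Debian: https://bugs.debian.org/800001\n---\n--- a/y.c\n+++ b/y.c\n",
    # No CVE anywhere: the gap Raphael's review points out.
    "patches/fix-profile-parse.patch": "Description: Check profile length\n"
        "Origin: upstream\n---\n--- a/z.c\n+++ b/z.c\n",
    "changelog": "imagemagick (6.7.7.10-5+deb7u8) wheezy-security; urgency=high\n\n"
        "  * Fix CVE-2016-1111, CVE-2016-2222 and CVE-2016-3333 (Closes: #800001)\n\n"
        " -- LTS Maintainer <lts@example.com>  Tue, 29 Nov 2016 12:00:00 +0100\n\n"
        "imagemagick (6.7.7.10-5+deb7u7) wheezy-security; urgency=high\n\n"
        "  * Fix CVE-2016-4444\n\n -- LTS Maintainer <lts@example.com>  Mon, 1 Aug 2016 12:00:00 +0200\n",
}


def run_sample():
    """Write SAMPLE under a temp dir, audit it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        debian = os.path.join(tmp, "debian")
        for rel, body in SAMPLE.items():
            path = os.path.join(debian, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit(debian)


if __name__ == "__main__":
    report = run_sample()
    for name, cves in report["mapping"].items():
        print(f"{name}: {', '.join(cves) or '(no CVE)'}")
    print("patches without a CVE:", report["unlabelled"])
    print("changelog CVEs no patch claims:", report["uncovered"])
```

Run against a real source tree with `audit("debian")`; the sample run flags `fix-profile-parse.patch` as unlabelled and CVE-2016-3333 as a changelog entry no patch accounts for. Only the newest stanza is read, since that is what the current upload's DLA has to match; CVE-2016-4444 in the older stanza is ignored on purpose.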
- References:
- RFC - ImageMagick, proper testing, and handling issues without a CVE ID
- From: Roberto C. Sánchez <roberto@connexer.com>
- Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
- From: Guido Günther <agx@sigxcpu.org>
- Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
- From: Roberto C. Sánchez <roberto@connexer.com>
- Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
- From: Raphael Hertzog <hertzog@debian.org>
- Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
- From: Roberto C. Sánchez <roberto@connexer.com>
- Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
- From: Raphael Hertzog <hertzog@debian.org>